2.7 Azure VPN Gateway and ExpressRoute
Key Takeaways
- Azure VPN Gateway creates encrypted tunnels between Azure VNets and on-premises networks over the public internet.
- Site-to-Site VPN connects an entire on-premises network to Azure; Point-to-Site VPN connects individual devices.
- Azure ExpressRoute provides a private, dedicated connection between on-premises and Azure that does NOT traverse the public internet.
- ExpressRoute offers higher bandwidth (up to 10 Gbps through a connectivity provider, up to 100 Gbps with ExpressRoute Direct), lower and more predictable latency, and an SLA-backed connection, but it does not encrypt traffic by default.
- ExpressRoute Global Reach enables direct connectivity between on-premises sites through the Microsoft backbone.
Azure VPN Gateway and ExpressRoute
Quick Answer: VPN Gateway creates IPsec/IKE-encrypted tunnels over the public internet between Azure and on-premises. ExpressRoute provides a private, dedicated connection that does NOT use the public internet. ExpressRoute is faster, more reliable, and more expensive than VPN, and unlike VPN it is not encrypted unless you add encryption yourself.
Azure VPN Gateway
Azure VPN Gateway sends IPsec/IKE-encrypted traffic between an Azure virtual network and an on-premises location over the public internet. It can also be used to connect Azure VNets to each other. The gateway is deployed into a dedicated subnet in the VNet that must be named GatewaySubnet.
VPN Types
| VPN Type | Description | Use Case |
|---|---|---|
| Site-to-Site (S2S) | Connects an entire on-premises network to Azure VNet | Branch office to Azure connectivity |
| Point-to-Site (P2S) | Connects an individual device to an Azure VNet over OpenVPN, IKEv2 or SSTP, authenticated with certificates, Microsoft Entra ID or RADIUS | Remote workers connecting to Azure |
| VNet-to-VNet | Connects two Azure VNets via the VPN gateway | Cross-region VNet communication |
VPN Gateway SKUs
Azure VPN Gateways come in different SKUs (sizes) that determine throughput, number of tunnels, and features. The table lists the SKUs most often tested; the zone-redundant variants (VpnGw1AZ and up) have the same limits. Basic is a legacy SKU: no BGP, no active-active, no custom IPsec/IKE policy, P2S over SSTP only, and it cannot be resized to a higher SKU later.
| SKU | Max Throughput | S2S Tunnels | P2S Connections (IKEv2/OpenVPN) |
|---|---|---|---|
| Basic | 100 Mbps | 10 | 128 (SSTP only) |
| VpnGw1 | 650 Mbps | 30 | 250 |
| VpnGw2 | 1 Gbps | 30 | 500 |
| VpnGw3 | 1.25 Gbps | 30 | 1,000 |
| VpnGw4 | 5 Gbps | 100 | 5,000 |
| VpnGw5 | 10 Gbps | 100 | 10,000 |
Active-Active vs. Active-Passive
- Active-Passive (the default; Azure also calls it active-standby): One gateway instance handles traffic while the second stands by. If the active instance fails, the standby takes over and the tunnels are re-established, so expect a short interruption (seconds for planned maintenance, possibly a minute or more for an unplanned failover).
- Active-Active: Both gateway instances handle traffic simultaneously, each with its own public IP address, so the on-premises device builds two tunnels (ideally running BGP over both). If one instance fails, the other keeps forwarding without interruption. Recommended for high availability; not available on the Basic SKU.
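The active-active, BGP-enabled site-to-site deployment described above, written out in Azure PowerShell. This is an added example, not code from the original page or from Microsoft. It assumes the Az module and a signed-in session (Connect-AzAccount); the resource names, address ranges, ASNs and the on-premises endpoint 203.0.113.10 are placeholders to replace with your own.

```powershell
# Added example: active-active, route-based VPN gateway with BGP and a pinned
# IPsec/IKE policy on one S2S connection. All names, prefixes, ASNs and the
# on-premises public IP below are placeholders (assumptions, not page content).
$rg       = 'rg-hybrid-demo'
$location = 'westeurope'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The gateway subnet must be named GatewaySubnet; a /27 leaves room for
# active-active and for a later ExpressRoute gateway in the same VNet.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet

# Active-active needs two public IPs, one per gateway instance.
$pip1 = New-AzPublicIpAddress -Name 'pip-vpngw-1' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$pip2 = New-AzPublicIpAddress -Name 'pip-vpngw-2' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf1' -SubnetId $subnetId -PublicIpAddressId $pip1.Id
$ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf2' -SubnetId $subnetId -PublicIpAddressId $pip2.Id

# VpnGw2 Generation2, active-active, BGP with Azure's default ASN 65515.
# None of this is possible on the Basic SKU. Provisioning takes tens of minutes.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf1, $ipconf2 -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2 `
    -EnableActiveActiveFeature -EnableBgp $true -Asn 65515

# On-premises side: its public VPN endpoint and its BGP peer. With BGP the
# on-premises prefixes are learned dynamically, so only the peer /32 is declared.
$lng = New-AzLocalNetworkGateway -Name 'lng-branch-nyc' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix @('10.10.255.254/32') `
    -Asn 65010 -BgpPeeringAddress '10.10.255.254'

# Pin the IPsec/IKE suite instead of accepting whatever the peer negotiates from
# Azure's default list: AES-256/SHA-256/DH group 14 for IKE, AES-256-GCM for ESP,
# PFS with a 2048-bit group, and explicit SA lifetimes.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Pre-shared key from the operator (or a vault), never hard-coded in the script.
$psk = Read-Host -Prompt 'Pre-shared key for the S2S tunnel' -AsSecureString
$pskPlain = [System.Net.NetworkCredential]::new('', $psk).Password

New-AzVirtualNetworkGatewayConnection -Name 'cn-branch-nyc' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $pskPlain -IpsecPolicies $policy -EnableBgp $true | Out-Null

# Verify: connection state, and the two gateway public IPs the on-premises
# device must build tunnels to (one per active instance).
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-branch-nyc' -ResourceGroupName $rg).ConnectionStatus
$pip1.IpAddress
$pip2.IpAddress
```

The on-premises device needs a tunnel to each of the two public IPs printed at the end and a BGP session over each; with only one tunnel configured, half of the Azure-side capacity sits idle and a failover still costs you a re-keying. Pinning the policy is the security-relevant step: without -IpsecPolicies the gateway accepts any combination from its default proposal list that the peer offers.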
Azure ExpressRoute
Azure ExpressRoute provides a private, dedicated connection between your on-premises infrastructure and Microsoft Azure. This connection is established through a connectivity provider (such as AT&T, Equinix, or Verizon) and does NOT travel over the public internet.
Key Benefits
| Benefit | Description |
|---|---|
| Private connection | Traffic does not traverse the public internet |
| Higher bandwidth | Up to 10 Gbps through a provider and up to 100 Gbps with ExpressRoute Direct (vs. 10 Gbps max for VPN) |
| Lower latency | Consistent, predictable latency |
| Higher reliability | Dedicated connection with SLA-backed uptime |
| Global connectivity | With the Premium add-on a circuit reaches Azure regions worldwide; Global Reach (below) additionally links your own on-premises sites to each other |
ExpressRoute Connection Models
| Model | Description |
|---|---|
| Co-location at cloud exchange | Your equipment is in the same facility as the cloud provider's edge |
| Point-to-point Ethernet | Dedicated Ethernet link from your premises to Azure |
| Any-to-any (IPVPN) | Integrate Azure into your existing WAN/MPLS network |
| ExpressRoute Direct | Connect directly to Microsoft's global network on dedicated 10 Gbps or 100 Gbps ports; the only model that supports MACsec link-layer encryption |
ExpressRoute Global Reach
ExpressRoute Global Reach enables you to connect your on-premises sites to each other through ExpressRoute circuits using the Microsoft backbone network. For example, if you have offices in New York and London, each with ExpressRoute connections, Global Reach allows those offices to communicate through the Microsoft network instead of over the public internet. It is an add-on to existing circuits and requires private peering to be configured on both of them.
VPN vs. ExpressRoute Comparison
| Feature | VPN Gateway | ExpressRoute |
|---|---|---|
| Connection type | Encrypted tunnel over public internet | Private, dedicated connection |
| Max bandwidth | Up to 10 Gbps (VpnGw5) | Up to 10 Gbps via a provider, up to 100 Gbps with ExpressRoute Direct |
| Latency | Variable (internet-dependent) | Low, consistent |
| Reliability | Good | Excellent (SLA-backed) |
| Encryption | Always (IPsec/IKE) | Not by default; add MACsec (ExpressRoute Direct) or an IPsec VPN over private peering |
| Cost | Lower | Higher |
| Setup time | Minutes to hours | Weeks to months (requires connectivity provider) |
| Best for | Small/medium workloads, dev/test | Enterprise workloads, large data transfers, compliance |
On the Exam: ExpressRoute does NOT encrypt traffic by default (it is a private connection, so encryption is optional). VPN Gateway ALWAYS encrypts traffic via IPsec/IKE. If the question asks about encryption over a private connection, the answer is to layer encryption on top of ExpressRoute: a site-to-site VPN tunnel over ExpressRoute private peering, or MACsec on ExpressRoute Direct ports.
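An audit that turns the encryption point above into a check: it walks the current subscription, flags VPN connections that still negotiate from the default proposal list or use weak suites, and lists every ExpressRoute circuit and ExpressRoute Direct link so the owner can confirm an IPsec overlay or MACsec is present. This is an added example, not code from the original page or from Microsoft. It assumes the Az.Network module and a signed-in session; the weak-suite lists, severity labels and the Test-IpsecPolicies and Add-Finding helpers are this script's own choices.

```powershell
# Added example: hybrid-connectivity encryption audit for the current subscription.
# Helper names, weak-suite lists and severities are assumptions of this script.
$weakEnc  = @('DES', 'DES3', 'None')          # legacy ciphers, or ESP with no encryption
$weakHash = @('MD5', 'SHA1')
$weakDh   = @('None', 'DHGroup1', 'DHGroup2')  # 768- and 1024-bit MODP groups
$weakPfs  = @('None', 'PFS1', 'PFS2')

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Resource, [string]$Severity, [string]$Text) {
    $findings.Add([pscustomobject]@{ Resource = $Resource; Severity = $Severity; Finding = $Text })
}

# Returns the policy problems for one VPN connection; an empty result means acceptable.
function Test-IpsecPolicies($conn) {
    if (-not $conn.IpsecPolicies -or $conn.IpsecPolicies.Count -eq 0) {
        return @('no custom IPsec/IKE policy; suite is negotiated from the Azure default list')
    }
    $issues = @()
    foreach ($p in $conn.IpsecPolicies) {
        if ($p.IkeEncryption -in $weakEnc -or $p.IpsecEncryption -in $weakEnc) {
            $issues += "weak cipher (IKE $($p.IkeEncryption), ESP $($p.IpsecEncryption))"
        }
        if ($p.IkeIntegrity -in $weakHash -or $p.IpsecIntegrity -in $weakHash) {
            $issues += "weak integrity (IKE $($p.IkeIntegrity), ESP $($p.IpsecIntegrity))"
        }
        if ($p.DhGroup -in $weakDh)  { $issues += "weak IKE DH group $($p.DhGroup)" }
        if ($p.PfsGroup -in $weakPfs) { $issues += "PFS disabled or weak ($($p.PfsGroup))" }
    }
    return $issues
}

# 1. VPN tunnels. S2S (IPsec) and VNet-to-VNet connections both run IPsec/IKE
#    and both accept a custom policy, so both are checked.
foreach ($rg in Get-AzResourceGroup) {
    foreach ($c in Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg.ResourceGroupName) {
        if ($c.ConnectionType -notin @('IPsec', 'Vnet2Vnet')) { continue }
        $id = "$($rg.ResourceGroupName)/$($c.Name)"
        foreach ($issue in Test-IpsecPolicies $c) {
            $sev = if ($issue -like 'no custom*') { 'Medium' } else { 'High' }
            Add-Finding $id $sev $issue
        }
        if ($c.ConnectionStatus -ne 'Connected') {
            Add-Finding $id 'Info' "connection status is $($c.ConnectionStatus)"
        }
    }
}

# 2. ExpressRoute circuits: private by design, not encrypted by default. Each one is
#    reported so the owner can confirm a VPN overlay over private peering or MACsec.
foreach ($circuit in Get-AzExpressRouteCircuit) {
    $kind = if ($circuit.ExpressRoutePort) { 'ExpressRoute Direct' }
            else { "provider $($circuit.ServiceProviderProperties.ServiceProviderName)" }
    Add-Finding "$($circuit.ResourceGroupName)/$($circuit.Name)" 'Medium' `
        "ExpressRoute circuit ($kind, $($circuit.Sku.Tier) tier): confirm IPsec overlay or MACsec"
}

# 3. ExpressRoute Direct ports: MACsec is configured per link. A link whose MacSecConfig
#    carries no CKN secret reference is passing clear-text frames to the edge.
foreach ($port in Get-AzExpressRoutePort) {
    foreach ($link in $port.Links) {
        if (-not $link.MacSecConfig -or -not $link.MacSecConfig.CknSecretIdentifier) {
            Add-Finding "$($port.ResourceGroupName)/$($port.Name)/$($link.Name)" 'High' `
                'ExpressRoute Direct link without MACsec'
        }
    }
}

$findings | Sort-Object Severity, Resource | Format-Table -AutoSize
```

Run it with a Reader role on the subscription; nothing here changes resources. The "no custom policy" finding is deliberately only Medium: the default proposal set is not broken, but it leaves the negotiated suite to the peer, and a misconfigured on-premises device can land on a far weaker combination than you would choose yourself.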
Which Azure service provides a private, dedicated connection to Azure that does NOT use the public internet?
What is the maximum bandwidth for an ExpressRoute connection?
Does Azure ExpressRoute encrypt traffic by default?
A remote employee needs to connect their laptop to the company's Azure VNet. Which VPN type should they use?